Ruby on Rails Security Vulnerabilities

| by Robert Bazinet Follow 0 Followers on Sep 08, 2009. Estimated reading time: 3 minutes |

There has been a buzz around the Ruby on Rails community lately with discovered security vulnerabilities and subsequent updates every Rails developer should be made aware.

Cross-Site Scripting Vulnerability

The first, and probably the most severe, is a Cross-Site Scripting (XSS) vulnerability discovered by Brian Mastenbrook and reported on his blog.  Brian describes how he cross-site scripted Twitter and 37signals Basecamp produce, both Ruby on Rails applications.

My attention quickly turned to Twitter, the only web application I had open at that moment. A few minutes later, I had JavaScript from a URL query parameter falling through the escaping routines and running in the main body of Bingo! Cross-site scripting, the stuff that Twitter worms are made of. But was this a Twitter-specific issue, or did it affect other sites too?

I quickly pulled up a test Basecamp account I had made a while ago. Basecamp, like Twitter, uses Ruby on Rails for its web frontend, so this would be a good way to determine whether the issue was in Rails or if it was specific to Twitter. Sure enough, the same malformed UTF-8 sequence that worked on Twitter also worked on Basecamp.

Although the likelihood of such an attack is not very high, the Ruby on Rails team was quick to respond, verifying the issue and issuing patches for Rails versions 2.0-2.3.

The patches are in a format suitable for git-am and consist of two changesets. The code for cleansing multi-byte strings, and the introduction of that code to the relevant helpers.

The team advises upgrading any unsupported version of Rails to a recent version as issues in the future may not be back ported as these are today.  It should be noted that only Rails versions 2.2.x and 2.3.x are considered to be supported versions.

Timing Weakness

The second issue discovered was related to Timing Attacks.  Such an attack is related to how Rails verifies message digests in the cookie store and might allow an attacker to determine when a forged signature is partially correct.  This could lead to additional attacks by this process, possibly forging the digest.

The Rails teams admits this sort of attack is unlikely, they suggest patching systems.  Patches were made available to supported Rails versions 2.2.x and 2.3.x:

The patches are in a format suitable for git-am and consist a single changeset which implements

Coda Hale is credited with uncovering the timing weaknesses in Rails.  His web site does a very good job of explaining what a time weakness is and how they are exploited.

Ruby on Rails 2.3.4

Those Rails developers not wanting to patch their Rails applications can get the latest patches in a new version of Ruby on Rails, 2.3.4 that includes bug fixes and updates for the two security vulnerabilities mentioned above.

Security Fixes

2.3.4 contains fixes for two security issues which were reported to us. For more details see the security announcements:

Bug Fixes

Thanks to the success of the BugMash we have around 100 bug fixes as part of this release. Of particular not is the fix to reloading problems related to rack middleware and rails metals when running in development mode.

This release also includes a new feature for adding seed data to a project database with a simple rake db:seed command.

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread


Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you